API Management can validate JWT access tokens (signature and claims) to authorize calls to your endpoints, using your existing OAuth scheme.

In this case, the client completes an authentication flow with the authentication server, then calls an endpoint with the access token, encoded as a JWT, in an Authorization header. API Management validates the signature (using either a key, if using HMAC, or an OpenID configuration endpoint, if using RSA), validates the claims, then forwards the request to the backend service.

The configuration is done through policies. The documentation is here.

An example is:

<policies>
	<inbound>
		<base />
		<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="@((string)context.LastError.Message)" require-scheme="Bearer" require-signed-tokens="true">
			<openid-config url="https://mytest.auth0.com/.well-known/openid-configuration" />
			<required-claims>
				<claim name="roles">
					<value>admin</value>
				</claim>
			</required-claims>
		</validate-jwt>
	</inbound>
	<backend>
		<base />
	</backend>
	<outbound>
		<base />
	</outbound>
</policies>

This effectively validates the JWT’s signature and expiry date, then verifies that it contains the role admin. Based on this, the request is either forwarded to the backend or rejected with error 401.
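
The key-based case mentioned above, as an added example that is not part of the original post: the same policy using a symmetric signing key, and additionally pinning the issuer and audience. The named value `jwt-signing-key`, the issuer string and the audience are assumed placeholders.

```xml
<policies>
	<inbound>
		<base />
		<!-- Tokens must carry exp; allow 60 s of clock drift between issuer and gateway -->
		<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-scheme="Bearer" require-signed-tokens="true" require-expiration-time="true" clock-skew="60">
			<!-- Symmetric case: Base64-encoded shared secret, read from a named value (assumed name) rather than inlined in the policy -->
			<issuer-signing-keys>
				<key>{{jwt-signing-key}}</key>
			</issuer-signing-keys>
			<!-- Accept only tokens minted for this API (placeholder audience) -->
			<audiences>
				<audience>https://api.example.com</audience>
			</audiences>
			<!-- Accept only tokens from the expected authorization server (assumed issuer string) -->
			<issuers>
				<issuer>https://mytest.auth0.com/</issuer>
			</issuers>
			<required-claims>
				<!-- match="any": one of the listed values is enough -->
				<claim name="roles" match="any">
					<value>admin</value>
				</claim>
			</required-claims>
		</validate-jwt>
	</inbound>
	<backend>
		<base />
	</backend>
	<outbound>
		<base />
	</outbound>
</policies>
```

Without the `audiences` and `issuers` elements, the policy accepts any token that verifies against the configured key and carries the required claim, including one issued for a different API.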